Thanks Kalyan and Faisal. That's what I was afraid of, but I was hoping that maybe Oracle had started to respond to the OWASP directives.
Do you know whether there might be a reasonable way to extend WebLogic to have this capability? Or is this buried in the core of the application server?
Sorry for belaboring this, but I need to have a comprehensive mitigation for session hijacking. Using the same session id for the life of an extended session seems to me to be a major weakness.
Again, my thanks and regards.
I did, Faisal. They gave me some good feedback, but indicated that the product isn't capable of switching the session identifier token once it has been assigned.
It sounds like they've propagated the session id down into lower level objects, likely as a key for indexing lookups. So changing it on the fly isn't an option.
At this point, I'm starting to worry that the only adequate mitigation for session hijacking attempts is going with a pure-HTTPS site. And that seems to still have some large performance penalties for page rendering times, particularly on Internet Explorer 8 and 9.
My last remaining hope is that we might be able to use some sleight of hand in the Internet-facing load balancer. (Sigh!)
Thank you for all of your help. I really appreciate the guidance.